Connect with us

Hi, what are you looking for?



Details Published on AWS Flaws Leading to Data Leaks

Researchers at cloud security startup Orca Security have publicly documented a pair of vulnerabilities in AWS CloudFormation and AWS Glue that attackers could use to leak sensitive files or access other customers’ data.

Researchers at cloud security startup Orca Security have publicly documented a pair of vulnerabilities in AWS CloudFormation and AWS Glue that attackers could use to leak sensitive files or access other customers’ data.

The first of the security flaws is described as an XML External Entity (XXE) error that could have been exploited to leak sensitive files stored in the CloudFormation service, as well as to disclose credentials for internal AWS infrastructure services.

CloudFormation is a service that helps users provision AWS resources using templates and to create and configure resources dynamically using API calls.

The XXE vulnerability could have allowed attackers to read files and perform HTTP requests on behalf of a compromised CloudFormation server, according to an advisory from Orca Security.

 [ READ: Remote Code Execution Vulnerability Found in AWS WorkSpaces ]

The host contained multiple AWS service binaries and various configuration files and an attacker could have leveraged the data (including credentials for internal endpoints) to bypass tenant boundaries and gain privileged access to any resource in AWS, the company warned.

The vulnerability was addressed on September 15, 2021, one week after Orca Security reported it to the AWS security response team.

Advertisement. Scroll to continue reading.

Impacting the AWS Glue service, the second vulnerability could have been used to create resources and access the data belonging to other AWS Glue customers. The exploitation process, however, was complex and required multiple steps.

[ READ: Amazon Sidewalk Mesh Network Raises Security, Privacy Concerns ]

The issue could allow an attacker to obtain credentials providing them with full access to internal service API, and then leverage an internal misconfiguration in AWS Glue – a service helping users easily discover and combine data for analytics, application creation, and machine learning – to gain “unrestricted access to all resources for the service in the region, including full administrative privileges,” Orca Security explained.

Successful exploitation of the bug could have allowed an attacker to assume roles in AWS customer accounts trusted by the Glue service, and query and modify AWS Glue service-related resources.

“We are aware of an issue related to AWS Glue ETL and AWS CloudFormation and can confirm that no AWS customer accounts or data were affected. Upon learning of this matter from Orca Security, we took immediate action to mitigate it within hours and have added additional controls to the services to prevent any recurrence,” and AWS spokesperson told SecurityWeek in an emailed response to this article.

*Updated with comment from AWS

Related: Remote Code Execution Vulnerability Found in AWS WorkSpaces

Related: Amazon to Offer Free Cybersecurity Training Materials, MFA Devices

Related: Amazon Sidewalk Mesh Network Raises Security, Privacy Concerns

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...